The most recent issue to beleaguer SolarWinds, now that the company’s biggest nightmare of the year is in the rearview mirror, is a vulnerability in its Serv-U Managed File Transfer Server and Serv-U Secured FTP Server products. Exploiting the flaw gives threat actors control over server data and lets them install programs on the server. Microsoft has stated it believes it knows who has been taking advantage of SolarWinds’ misfortune.
Microsoft attributes the exploitation of the vulnerability to a group in China that Redmond calls DEV-0322. That is not a name the group uses for itself; it is the label Microsoft assigns. This is how the Microsoft Threat Intelligence Center (MSTIC) describes its labeling process:
“MSTIC tracks and investigates a range of malicious cyber activities and operations. During the tracking and investigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind an operation, we refer to the unidentified threat actor as a ‘development group’ or ‘DEV group’ and assign each DEV group a unique number (DEV-####) for tracking purposes.”
As for DEV-0322’s operations beyond troubling SolarWinds, Microsoft notes it has seen the group go after organizations in the U.S. Defense Industrial Base Sector and software companies. DEV-0322 uses VPNs and hijacked consumer routers as part of its infrastructure.
Microsoft’s blog post on the Chinese group outlines the technical details of the SolarWinds product vulnerability and gives those interested in the specifics a better look at what’s going on. Remember that SolarWinds already has a hotfix out for the aforementioned issues, so if you run an affected product, be sure to apply it.